The following is a guest post by Lynda Martel, Executive Director of Government and Enterprise Business Relations at DriveSavers Data Recovery.
In today’s world, robust risk management is a must for healthcare organizations due to the combination of electronic medical records and the challenging environment of mounting digital attacks on vital corporate assets and the regulated data they are entrusted to protect. While most corporations have a multi-layered security practice, few healthcare organizations have the internal resources to recover lost data from a computer or storage system. The only way to retrieve critical information is to send the data to a secure third party data recovery vendor.
However, a surprising majority of third party vendors do not meet best practice standards for data security. If an organization does not perform its due diligence before engaging the services of a data recovery vendor, it runs the risk of a major data breach, which could easily cost an organization or business tens of millions of dollars.
The good news is that changes to internal policies and procedures, combined with contractual changes with third party businesses handling the corporation’s data, will mitigate the risk posed by this exception that falls outside of the otherwise robust layered security protections.
These five steps will help to close the security and policy gap:
Step 1: Conduct Gap Analysis
The first step is to determine if a security gap exists within the organization.
• When a user’s device or a storage system goes down, are the failed drives being sent to a data recovery vendor? Under what circumstances?
• Is an incident report filed? Under what circumstances?
• Who chooses the data recovery vendor?
• Does the type of data to be recovered drive the vendor selection criterion?
• What are the current audit and assessment processes for data recovery vendors?
• Are the vendor’s security protocols vetted before engaging their services?
Step 2: Revise current internal and external policies
If a gap exists, determine what internal policy, procedures, and practice need to be revised.
• Internal policies and procedures, business continuity, disaster recovery, and incident response plans should address the use of data recovery service providers.
• Policies and guidelines should be established within the enterprise for vetting a data recovery service provider.
• Criteria for selecting data recovery vendors and the required supporting proof should be specified.
Step 3: Develop and operate enforcement mechanisms
Do these steps to make sure the new procedures are followed:
• Define documented and repeatable business associate risk management processes to address drive failure, data loss and the use of third party recovery vendors.
• Conduct mandatory annual security reviews of data recovery service providers.
• Develop and deploy employee training and awareness programs to ensure sensitive and confidential data are protected throughout the data loss and data recovery process.
• Establish strong enforcement practices for failing to adhere to the organization’s policies.
Step 4: Modify contracts with third party vendors to align with internal changes
Once policy changes are made with third party data recovery vendors, update contracts with high-risk third party vendors that handle the organization’s sensitive data.
Step 5: Ongoing monitoring of the third party data recovery vendors
While many companies have excellent vetting protocols, data recovery vendors may require some special consideration for ongoing monitoring. These performance-monitoring controls should include:
• Annual review of vendor’s audit reports and certification documents to verify they are up-to-date.
• Assurance that the vendor is compliant with industry-mandated data privacy/security guidelines (SOX, GLBA, PCI, PII, CA SB 1386, CA AB 1950, MA 201 CMR 17.03, NIST SP 800-34 (Rev. 1), HIPAA, etc.).
• Annual on-site quality assurance reviews.
• Periodic analysis of the vendor’s financial condition.
• Assessments of compliance with contract terms.
• Testing the vendor’s business contingency planning.
• Evaluating adequacy of the vendor’s training to its employees.
• Periodic meetings with the vendor to review contract performance and operational issues.
• Anonymous testing of the vendor’s service capabilities.
Data recovery service providers will play a greater role in the corporation’s information life cycle as the number and complexity of devices increase to facilitate the flow of information. Given that there are no directives, standards, or best or reasonable practices, these steps help provide a roadmap for mitigating the potential risk of data recovery. The solution to this high impact risk requires policy and procedural changes and is low in cost. It ensures that the confidentiality, integrity, and availability of the corporation’s sensitive information are maintained during the data recovery process.
DriveSavers is the only data recovery service provider in the industry to post proof that it undergoes an annual, company-wide SOC 2 Type II audit and has met all forty-two HIPAA data privacy and data security compliance standards.
Lynda Martel is Executive Director of Government and Enterprise Business Relations at DriveSavers Data Recovery. Martel is responsible for the company’s strategic data security initiatives and communicating the company’s data security/privacy protocols to internal and external audiences. Martel meets with data security professionals and regulatory authorities on matters that require new or revised guidance around the use of data recovery vendors, and was instrumental in helping the National Institute of Standards and Technology (NIST), Federal Deposit Insurance Corporation (FDIC), Office of Thrift Supervision (OTS) and the BITS Financial Services Roundtable identify the risks of improperly vetting data recovery service providers.